Page 62 - Security Today, April 2018

the sign, and still opt to enter that space, this demonstrates their consent. In some circumstances, an optional unmonitored passage needs to be conveniently available to ensure willing consent. Additionally, there are legal limitations to the storage duration of CCTV recordings, fulfilling a GDPR principle of “ensure erasure when no longer needed.”
Biometrics—Entering the Mainstream
The implications of GDPR go beyond basic CCTV cameras though. Increasingly, organizations are opting to deploy biometric systems to identify opted-in users for access control and security purposes. Biometrics are being selected for their enhanced security, convenience and increased efficiency. Biometric data that is good for identification, whether it is visual identification data such as face templates or body behavior data, or other types of biometric information including fingerprints or iris scans, would be included as Personally Identifiable Information (PII) under GDPR.
With visual identification in particular, which can be passively collected using standard CCTV cameras (unlike fingerprints or iris scans, which must be actively provided by a user), GDPR can pose some serious considerations.
What do you do with the data of all the people who pass by the camera, yet have not opted into the system? What about people who have opted in, but would like to opt out now? How long can biometric data of subjects be stored when they have not specifically provided consent? And, for what purpose?
What of the Technology Provider?
It is important to note that the provider of the data collecting and processing technology is neither the processor, nor the controller of subjects’ data under GDPR.
To illustrate, computers and smartphones are used for many useful tasks: work, design, programming, entertainment, community, dating, picture albums and more. But when they are used to commit an offence, such as hacking into other systems, violating media ownership rights or conducting illegal darknet trades, all of which are considered crimes, would the computer or operating system software manufacturer be brought to trial for theft? Of course not. The person orchestrating the offence would be held responsible. No one thinks to outlaw computers and smartphones when they serve such fundamentally positive purposes as well.
So, too, with personal data collection. The provider of the data collecting tools and technologies will not be held responsible when an organization collects or uses such personal data incorrectly. However, the technology provider does have responsibilities to enable and ensure that organizations are well equipped to comply with the regulation.
Responsibilities as a Technology Provider
As a provider of biometric identification technology, it is our responsibility and commitment to the organizations we work with to support the application of GDPR.
To that end, it is clear that technology providers must:
• Provide the tools necessary for organizations to be able to not save the data of a subject who is not enrolled in the system, or of someone who was enrolled and opted out. Technology providers have a responsibility to create this capability.
• Ensure that subject data would not be manipulated without authorization and would be protected from security breaches. That’s why it is vital for all data collected to be hashed and encrypted, so that if there is a data breach and information is possibly stolen, it is not usable. This protects the organization in the event of a breach from the serious penalties that can be incurred under GDPR.
• Provide audited interfaces and tools to enable the organization to provide a data subject with a copy of the personal data saved in the system, and the ability to correct it or to be forgotten when needed.
How GDPR Will Evolve in the Future
Ultimately, GDPR will be implemented in the EU and could be further enhanced according to norms for each member state. This is changing as well. The public is beginning to understand the efficiency that biometric identification brings with it. People like the idea of walking into their favorite shop and being welcomed by name.
Air travelers appreciate the convenience of passport control being automatically handled through biometrics without having to stand in the regular queue.
Of course, there will always be those who prefer to remain as anonymous as possible, and it is up to those involved in all perspectives related to GDPR to make sure anonymity is available.
The Changing Times
The trend is in favor of the public trading off some level of anonymity for the benefits that data-based identification can bring. Surveys show that up to 95 percent of people are interested in providing personal information when they stand to receive tangible benefits.
We should all support what GDPR is trying to accomplish. After all, privacy is still extremely important to people around the world. Yet, we have to periodically reexamine the degree to which there is a demand for what GDPR protects (namely, personal privacy), and make adjustments to the laws accordingly.
In that way, we can continue to move forward, allowing technology to increase safety, convenience and efficiency in our lives without compromising the privacy we all consider to be of sacred status.
Arie Melamed is the CMO at FST Biometrics.